A team of computer security experts at the University of Glasgow have developed a set of recommendations to help defend against ‘thermal attacks’ which can steal personal information.
Thermal attacks use heat-sensitive cameras to read the traces of fingerprints left on surfaces like smartphone screens, computer keyboards and PIN pads. Hackers can use the relative intensity of heat traces across recently-touched surfaces to reconstruct users’ passwords.
Last year, Dr Mohamed Khamis and colleagues from the University of Glasgow set out to demonstrate how easily thermal images could be used to crack passwords.
The team developed ThermoSecure, a system which used AI to scan heat-trace images and correctly guess passwords in seconds, alerting many to the threat of thermal attacks.
Now, Dr Khamis and colleagues have put together the first comprehensive review of existing computer security strategies, and surveyed users on their preferences on how thermal attacks can be prevented at public payment devices like ATMs or transport ticket dispensers.
Their research, set to be presented as a paper at the USENIX Security Symposium conference in the USA on Friday 11 August, also includes advice to manufacturers on how their devices could be made more secure. USENIX Security is widely recognised as one of the leading conferences in the fields of computer security and cybersecurity.
The team identified 15 different approaches described in previous papers on computer security which could reduce the risk of thermal attacks.
Those included ways to reduce the transfer of heat from users’ hands, by wearing gloves or rubber thimbles, or changing the temperature of hands by touching something cold before typing.
Approaches suggested in the literature also included pressing hands against surfaces or breathing on them to obscure their fingerprint heat once they had finished typing.
Other suggestions for increased security focused on hardware and software. A heating element behind surfaces could erase traces of finger heat, or surfaces could be made from materials which dissipate heat more rapidly. Security on public surfaces could be increased by introducing a physical shield which covers keys until heat has dissipated. Alternatively, eye-tracking inputs or biometric security could reduce the risk of successful thermal attacks.
After their research on existing security measures, the team conducted an online survey with 306 participants. The survey aimed to determine users’ preferences among the strategies the team had identified, as well as asking their own thoughts about security measures they could adopt when using public devices like bank machines.
Dr Mohamed Khamis, of the University of Glasgow’s School of Computing Science, who led the research, said: “This is the first comprehensive literature review of security measures against thermal attacks, and our survey showed some interesting results. Intuitively, users suggested some strategies that weren’t in the literature, like waiting to use an ATM until their surroundings seemed safest. They were also keen on strategies that were already familiar, like two-factor authentication, because they were aware of their effectiveness. We also saw that they considered issues like hygiene, which made the strategy of breathing on devices to mask heat traces very unpopular, and privacy, which some users considered when thinking about additional security measures like face or fingerprint recognition.”
